SSH hank attempts bad?

Gary Thornock gthornock at
Wed Apr 12 12:57:17 MDT 2006

--- Chris Carey <chris.carey at> wrote:
> I agree wholeheartedly. What I meant is that its futile to
> block individual IPs. For every one you block, two more will
> appear. For an Internet connected device, one should put a
> policy for security in place that covers all IPs.

Blocking individual IPs really amounts to enumerating badness
[1], which admittedly isn't a very effective security policy
(albeit it *has* significantly reduced the problem, at least on
my server).  The problem is, unless you know that you'll only
be connecting from a very few places, all known in advance, the
alternative (enumerating goodness) is a hard problem.

I like the automatic blocking idea behind DenyHosts, particularly
given its sync functionality and its automatic cleanup of old
blocks.  I wish it were trivial to set it up to update my pf
rules instead of just hosts.deny for ssh.  I also like the
rate-limiting idea that someone mentioned.  I'm going to have to
find out how to do that in pf...

All of that, however, is still only part of a solution.  It's
still important to use enumerated goodness in another context
by allowing connections only from specified users, and it's
still important to disable root access and disable password


PGP Key ID: 071B173D
Fingerprint: ED30 B048 6833 56B4 28C0 CE52 F12B 884A 071B 173D

More information about the PLUG mailing list